[Bug 1883729] [NEW] xhci_find_stream: Assertion `streamid != 0' failed.

From: Bugs SysSec @ 2020-06-16 15:33 UTC
To: qemu-devel

Public bug reported:

To reproduce, run QEMU with the following command line:

```
qemu-system-x86_64 -cdrom hypertrash_os_bios_crash.iso -nographic -m 100 -enable-kvm -device virtio-gpu-pci -device nec-usb-xhci -device usb-audio
```

QEMU Version:

```
# qemu-5.0.0
$ ./configure --target-list=x86_64-softmmu --enable-sanitizers; make
$ x86_64-softmmu/qemu-system-x86_64 --version
QEMU emulator version 5.0.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
```

** Affects: qemu
   Importance: Undecided
   Status: New

** Attachment added: "xhci_assert3.zip"
   https://bugs.launchpad.net/bugs/1883729/+attachment/5384432/+files/xhci_assert3.zip

--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1883729

Title:
  xhci_find_stream: Assertion `streamid != 0' failed.

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1883729/+subscriptions
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Alexander Bulekov @ 2020-08-11 2:10 UTC
To: qemu-devel

Attaching a QTest reproducer.

```
./i386-softmmu/qemu-system-i386 -device nec-usb-xhci -trace usb\* \
-device usb-audio -device usb-storage,drive=mydrive \
-drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
-nodefaults -nographic -qtest stdio < repro
```

Close to the crash:

```
21000@1597111713.503068:usb_xhci_slot_configure slotid 58
21000@1597111713.503074:usb_xhci_ep_disable slotid 58, epid 2
21000@1597111713.503077:usb_xhci_ep_enable slotid 58, epid 2
21000@1597111713.503085:usb_xhci_ep_disable slotid 58, epid 6
21000@1597111713.503088:usb_xhci_ep_enable slotid 58, epid 6
21000@1597111713.503092:usb_xhci_ep_disable slotid 58, epid 24
21000@1597111713.503095:usb_xhci_ep_enable slotid 58, epid 24
21000@1597111713.503099:usb_xhci_ep_disable slotid 58, epid 25
21000@1597111713.503102:usb_xhci_ep_enable slotid 58, epid 25
21000@1597111713.503106:usb_xhci_ep_disable slotid 58, epid 29
21000@1597111713.503109:usb_xhci_ep_enable slotid 58, epid 29
21000@1597111713.503113:usb_xhci_ep_disable slotid 58, epid 30
21000@1597111713.503116:usb_xhci_ep_enable slotid 58, epid 30
21000@1597111713.503121:usb_xhci_fetch_trb addr 0x0000000000000b20, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503127:usb_xhci_slot_enable slotid 59
21000@1597111713.503130:usb_xhci_fetch_trb addr 0x0000000000000b30, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x00004300
21000@1597111713.503135:usb_xhci_fetch_trb addr 0x0000000000000b40, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503140:usb_xhci_slot_enable slotid 60
21000@1597111713.503143:usb_xhci_fetch_trb addr 0x0000000000000b50, CR_EVALUATE_CONTEXT, p 0x0000000000000000, s 0x00000000, c 0x00003600
21000@1597111713.503149:usb_xhci_fetch_trb addr 0x0000000000000b60, CR_STOP_ENDPOINT, p 0x0000000000000000, s 0x00000000, c 0x3afd3c00
21000@1597111713.503154:usb_xhci_ep_stop slotid 58, epid 29
21000@1597111713.503159:usb_xhci_ep_state slotid 58, epid 29, running -> stopped
21000@1597111713.503163:usb_xhci_fetch_trb addr 0x0000000000000b70, CR_ENABLE_SLOT, p 0x0000000000000000, s 0x00000000, c 0x00002700
21000@1597111713.503168:usb_xhci_slot_enable slotid 61
21000@1597111713.503171:usb_xhci_fetch_trb addr 0x0000000000000b80, CR_SET_TR_DEQUEUE, p 0x0000000000000000, s 0x00000000, c 0x3afd4300
21000@1597111713.503177:usb_xhci_ep_set_dequeue slotid 58, epid 29, streamid 0, ptr 0x0000000000000000
qemu-system-i386: hw/usb/hcd-xhci.c:1016: XHCIStreamContext *xhci_find_stream(XHCIEPContext *, unsigned int, uint32_t *): Assertion `streamid != 0' failed.
Aborted
```

** Attachment added: "repro"
   https://bugs.launchpad.net/qemu/+bug/1883729/+attachment/5400547/+files/repro
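The trace above ends with a Set TR Dequeue Pointer command carrying streamid 0 reaching xhci_find_stream, whose precondition is streamid != 0, so a field taken from a guest-written command TRB aborts the whole emulator instead of producing an error completion. The C model below is an added example, not QEMU's hw/usb/hcd-xhci.c: the EPContext/StreamContext types, the find_stream and ep_set_dequeue names, the demo_* helpers and the completion-code values are all constructed for illustration. It shows the defensive shape of such a handler: the stream lookup reports an invalid or reserved stream ID back to the caller as a completion code, so a malformed command is answered, not asserted on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of an xHCI endpoint context with primary streams.  Added
 * illustration only; none of these names or values come from QEMU.
 */

/* Completion codes returned to the guest in the command-completion event.
 * Constructed values for this example; real codes come from the xHCI spec. */
enum completion_code {
    CC_SUCCESS = 1,
    CC_TRB_ERROR = 5,
    CC_INVALID_STREAM_ID_ERROR = 34,
};

#define MAX_PSTREAMS 16

typedef struct {
    uint64_t dequeue_ptr;   /* transfer-ring dequeue pointer of this stream */
} StreamContext;

typedef struct {
    unsigned slotid;
    unsigned epid;
    unsigned nr_pstreams;   /* 0 when the endpoint does not use streams */
    StreamContext pstreams[MAX_PSTREAMS];
    uint64_t dequeue_ptr;   /* used only when nr_pstreams == 0 */
} EPContext;

/*
 * Look up a primary stream context for a guest-supplied stream ID.
 * Stream ID 0 is reserved and never names a stream, and the ID must lie
 * inside the endpoint's stream array; both cases are reported as a
 * completion code rather than treated as a programming error.
 */
static StreamContext *find_stream(EPContext *ep, uint32_t streamid,
                                  enum completion_code *cc)
{
    if (streamid == 0 || streamid >= ep->nr_pstreams) {
        *cc = CC_INVALID_STREAM_ID_ERROR;
        return NULL;
    }
    *cc = CC_SUCCESS;
    return &ep->pstreams[streamid];
}

/*
 * Handle a Set TR Dequeue Pointer command.  Every field comes from a TRB
 * the guest wrote into the command ring, so nothing here may abort the
 * emulator; a malformed command yields an error completion instead.
 */
enum completion_code ep_set_dequeue(EPContext *ep, uint32_t streamid,
                                    uint64_t ptr)
{
    if (ep->nr_pstreams > 0) {
        enum completion_code cc;
        StreamContext *sctx = find_stream(ep, streamid, &cc);
        if (sctx == NULL) {
            return cc;          /* invalid stream ID: state left untouched */
        }
        sctx->dequeue_ptr = ptr;
    } else {
        /* A non-stream endpoint has one ring; a non-zero stream ID is bogus. */
        if (streamid != 0) {
            return CC_TRB_ERROR;
        }
        ep->dequeue_ptr = ptr;
    }
    return CC_SUCCESS;
}

/* Replay the command with the slot/endpoint numbers seen in the trace
 * (slot 58, endpoint 29) against a streams-enabled endpoint. */
enum completion_code demo_streams_ep(uint32_t streamid, uint64_t ptr)
{
    EPContext ep;
    memset(&ep, 0, sizeof(ep));
    ep.slotid = 58;
    ep.epid = 29;
    ep.nr_pstreams = 8;     /* constructed: 8 primary streams */
    return ep_set_dequeue(&ep, streamid, ptr);
}

/* Same command against an endpoint that does not use streams. */
enum completion_code demo_plain_ep(uint32_t streamid, uint64_t ptr)
{
    EPContext ep;
    memset(&ep, 0, sizeof(ep));
    ep.slotid = 58;
    ep.epid = 29;
    return ep_set_dequeue(&ep, streamid, ptr);
}

int main(void)
{
    /* The command from the trace: stream ID 0 on a streams endpoint. */
    printf("streams ep, streamid 0   -> cc %d\n", demo_streams_ep(0, 0));
    printf("streams ep, streamid 3   -> cc %d\n", demo_streams_ep(3, 0x1000));
    printf("streams ep, streamid 200 -> cc %d\n", demo_streams_ep(200, 0));
    printf("plain ep,   streamid 0   -> cc %d\n", demo_plain_ep(0, 0x2000));
    printf("plain ep,   streamid 1   -> cc %d\n", demo_plain_ep(1, 0));
    return 0;
}
```

The point of the split between find_stream and ep_set_dequeue is that the lookup never trusts its argument: an assert is the right tool for an invariant the emulator itself maintains, but a stream ID copied out of guest memory is input, and input gets a completion code.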
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Thomas Huth @ 2021-05-11 5:31 UTC
To: qemu-devel

** Tags added: usb
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Thomas Huth @ 2021-05-11 17:08 UTC
To: qemu-devel

Can you still reproduce this assertion with the latest version 6.0 of QEMU? ... I cannot trigger it here, so I assume this issue has been fixed?

** Changed in: qemu
   Status: New => Incomplete
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Alexander Bulekov @ 2021-05-11 17:51 UTC
To: qemu-devel

I don't think it is fixed yet.. This is
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28571#c4

Bash Reproducer:

```
./qemu-system-i386 -display none -machine accel=qtest, -m 512M \
-machine q35 -nodefaults -drive \
file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci \
-device usb-tablet,bus=xhci.0 -device usb-bot -device \
usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 \
-device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid \
-device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 -device \
usb-tablet -device usb-wacom-tablet -device usb-audio -qtest /dev/null \
-qtest stdio < attachment
```

Testcase:

```
/*
 * Autogenerated Fuzzer Test Case
 *
 * Copyright (c) 2021 <name of author>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */

#include "qemu/osdep.h"

#include "libqos/libqtest.h"

static void test_fuzz(void)
{
    QTestState *s = qtest_init(
        "-display none , -m 512M -machine q35 -nodefaults -drive "
        "file=null-co://,if=none,format=raw,id=disk0 -device qemu-xhci,id=xhci -device "
        "usb-tablet,bus=xhci.0 -device usb-bot -device usb-storage,drive=disk0 -chardev "
        "null,id=cd0 -chardev null,id=cd1 -device usb-braille,chardev=cd0 -device "
        "usb-ccid -device usb-ccid -device usb-kbd -device usb-mouse -device "
        "usb-serial,chardev=cd1 -device usb-tablet -device usb-wacom-tablet -device "
        "usb-audio -qtest /dev/null");
    qtest_outl(s, 0xcf8, 0x80000816);
    qtest_outl(s, 0xcfc, 0xffff);
    qtest_outl(s, 0xcf8, 0x80000803);
    qtest_outl(s, 0xcfc, 0x0600);
    qtest_outl(s, 0xcf8, 0x80000810);
    qtest_outl(s, 0xcfc, 0x2e654000);
    qtest_writel(s, 0xffff00002e654040, 0xffffff05);
    qtest_bufwrite(s, 0x4d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xed, "\x04", 0x1);
    qtest_bufwrite(s, 0xfd, "\x04", 0x1);
    qtest_bufwrite(s, 0x10d, "\x04", 0x1);
    qtest_bufwrite(s, 0x11d, "\x04", 0x1);
    qtest_bufwrite(s, 0x12d, "\x04", 0x1);
    qtest_bufwrite(s, 0x13d, "\x04", 0x1);
    qtest_bufwrite(s, 0x14d, "\x04", 0x1);
    qtest_bufwrite(s, 0x15d, "\x04", 0x1);
    qtest_bufwrite(s, 0x16d, "\x04", 0x1);
    qtest_bufwrite(s, 0x17d, "\x04", 0x1);
    qtest_bufwrite(s, 0x18d, "\x04", 0x1);
    qtest_bufwrite(s, 0x19d, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x1bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x1ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x1fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x20d, "\x04", 0x1);
    qtest_bufwrite(s, 0x21d, "\x04", 0x1);
    qtest_bufwrite(s, 0x22d, "\x04", 0x1);
    qtest_bufwrite(s, 0x23d, "\x04", 0x1);
    qtest_bufwrite(s, 0x24d, "\x04", 0x1);
    qtest_bufwrite(s, 0x25d, "\x04", 0x1);
    qtest_bufwrite(s, 0x26d, "\x04", 0x1);
    qtest_bufwrite(s, 0x27d, "\x04", 0x1);
    qtest_bufwrite(s, 0x28d, "\x04", 0x1);
    qtest_bufwrite(s, 0x29d, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x2bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x2ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x2fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x30d, "\x04", 0x1);
    qtest_bufwrite(s, 0x31d, "\x04", 0x1);
    qtest_bufwrite(s, 0x32d, "\x04", 0x1);
    qtest_bufwrite(s, 0x33d, "\x04", 0x1);
    qtest_bufwrite(s, 0x34d, "\x04", 0x1);
    qtest_bufwrite(s, 0x35d, "\x04", 0x1);
    qtest_bufwrite(s, 0x36d, "\x04", 0x1);
    qtest_bufwrite(s, 0x37d, "\x04", 0x1);
    qtest_bufwrite(s, 0x38d, "\x04", 0x1);
    qtest_bufwrite(s, 0x39d, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x3bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x3ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x3fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x40d, "\x04", 0x1);
    qtest_bufwrite(s, 0x41d, "\x04", 0x1);
    qtest_bufwrite(s, 0x42d, "\x04", 0x1);
    qtest_bufwrite(s, 0x43d, "\x04", 0x1);
    qtest_bufwrite(s, 0x44d, "\x04", 0x1);
    qtest_bufwrite(s, 0x45d, "\x04", 0x1);
    qtest_bufwrite(s, 0x46d, "\x04", 0x1);
    qtest_bufwrite(s, 0x47d, "\x04", 0x1);
    qtest_bufwrite(s, 0x48d, "\x04", 0x1);
    qtest_bufwrite(s, 0x49d, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x4bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x4ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x4fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x50d, "\x04", 0x1);
    qtest_bufwrite(s, 0x51d, "\x04", 0x1);
    qtest_bufwrite(s, 0x52d, "\x04", 0x1);
    qtest_bufwrite(s, 0x53d, "\x04", 0x1);
    qtest_bufwrite(s, 0x54d, "\x04", 0x1);
    qtest_bufwrite(s, 0x55d, "\x04", 0x1);
    qtest_bufwrite(s, 0x56d, "\x04", 0x1);
    qtest_bufwrite(s, 0x57d, "\x04", 0x1);
    qtest_bufwrite(s, 0x58d, "\x04", 0x1);
    qtest_bufwrite(s, 0x59d, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x5bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x5ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x5fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x60d, "\x04", 0x1);
    qtest_bufwrite(s, 0x61d, "\x04", 0x1);
    qtest_bufwrite(s, 0x62d, "\x04", 0x1);
    qtest_bufwrite(s, 0x63d, "\x04", 0x1);
    qtest_bufwrite(s, 0x64d, "\x04", 0x1);
    qtest_bufwrite(s, 0x65d, "\x04", 0x1);
    qtest_bufwrite(s, 0x66d, "\x04", 0x1);
    qtest_bufwrite(s, 0x67d, "\x04", 0x1);
    qtest_bufwrite(s, 0x68d, "\x04", 0x1);
    qtest_bufwrite(s, 0x69d, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x6bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x6ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x6fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x70d, "\x04", 0x1);
    qtest_bufwrite(s, 0x71d, "\x04", 0x1);
    qtest_bufwrite(s, 0x72d, "\x04", 0x1);
    qtest_bufwrite(s, 0x73d, "\x04", 0x1);
    qtest_bufwrite(s, 0x74d, "\x04", 0x1);
    qtest_bufwrite(s, 0x75d, "\x04", 0x1);
    qtest_bufwrite(s, 0x76d, "\x04", 0x1);
    qtest_bufwrite(s, 0x77d, "\x04", 0x1);
    qtest_bufwrite(s, 0x78d, "\x04", 0x1);
    qtest_bufwrite(s, 0x79d, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x7bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x7ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x7fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x80d, "\x04", 0x1);
    qtest_bufwrite(s, 0x81d, "\x04", 0x1);
    qtest_bufwrite(s, 0x82d, "\x04", 0x1);
    qtest_bufwrite(s, 0x83d, "\x04", 0x1);
    qtest_bufwrite(s, 0x84d, "\x04", 0x1);
    qtest_bufwrite(s, 0x85d, "\x04", 0x1);
    qtest_bufwrite(s, 0x86d, "\x04", 0x1);
    qtest_bufwrite(s, 0x87d, "\x04", 0x1);
    qtest_bufwrite(s, 0x88d, "\x04", 0x1);
    qtest_bufwrite(s, 0x89d, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x8bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x8ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x8fd, "\x04", 0x1);
    qtest_bufwrite(s, 0x90d, "\x04", 0x1);
    qtest_bufwrite(s, 0x91d, "\x04", 0x1);
    qtest_bufwrite(s, 0x92d, "\x04", 0x1);
    qtest_bufwrite(s, 0x93d, "\x04", 0x1);
    qtest_bufwrite(s, 0x94d, "\x04", 0x1);
    qtest_bufwrite(s, 0x95d, "\x04", 0x1);
    qtest_bufwrite(s, 0x96d, "\x04", 0x1);
    qtest_bufwrite(s, 0x97d, "\x04", 0x1);
    qtest_bufwrite(s, 0x98d, "\x04", 0x1);
    qtest_bufwrite(s, 0x99d, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ad, "\x04", 0x1);
    qtest_bufwrite(s, 0x9bd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9cd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9dd, "\x04", 0x1);
    qtest_bufwrite(s, 0x9ed, "\x04", 0x1);
    qtest_bufwrite(s, 0x9fd, "\x04", 0x1);
    qtest_bufwrite(s, 0xa0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xa9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xaad, "\x04", 0x1);
    qtest_bufwrite(s, 0xabd, "\x04", 0x1);
    qtest_bufwrite(s, 0xacd, "\x04", 0x1);
    qtest_bufwrite(s, 0xadd, "\x04", 0x1);
    qtest_bufwrite(s, 0xaed, "\x04", 0x1);
    qtest_bufwrite(s, 0xafd, "\x04", 0x1);
    qtest_bufwrite(s, 0xb0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xb9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xbad, "\x04", 0x1);
    qtest_bufwrite(s, 0xbbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xbed, "\x04", 0x1);
    qtest_bufwrite(s, 0xbfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xc0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xc9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xcad, "\x04", 0x1);
    qtest_bufwrite(s, 0xcbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xccd, "\x04", 0x1);
    qtest_bufwrite(s, 0xcdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xced, "\x04", 0x1);
    qtest_bufwrite(s, 0xcfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xd0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xd9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xdad, "\x04", 0x1);
    qtest_bufwrite(s, 0xdbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xdcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xddd, "\x04", 0x1);
    qtest_bufwrite(s, 0xded, "\x04", 0x1);
    qtest_bufwrite(s, 0xdfd, "\x04", 0x1);
    qtest_bufwrite(s, 0xe0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xe9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xead, "\x04", 0x1);
    qtest_bufwrite(s, 0xebd, "\x04", 0x1);
    qtest_bufwrite(s, 0xecd, "\x04", 0x1);
    qtest_bufwrite(s, 0xedd, "\x04", 0x1);
    qtest_bufwrite(s, 0xeed, "\x04", 0x1);
    qtest_bufwrite(s, 0xefd, "\x04", 0x1);
    qtest_bufwrite(s, 0xf0d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf1d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf2d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf3d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf4d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf5d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf6d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf7d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf8d, "\x04", 0x1);
    qtest_bufwrite(s, 0xf9d, "\x04", 0x1);
    qtest_bufwrite(s, 0xfad, "\x04", 0x1);
    qtest_bufwrite(s, 0xfbd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfcd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfdd, "\x04", 0x1);
    qtest_bufwrite(s, 0xfed, "\x24", 0x1);
    qtest_bufwrite(s, 0xffd, "\x24", 0x1);
    qtest_bufwrite(s, 0x100d, "\x24", 0x1);
    qtest_bufwrite(s, 0x101d, "\x24", 0x1);
    qtest_bufwrite(s, 0x102d, "\x24", 0x1);
    qtest_bufwrite(s, 0x1041, "\x6d", 0x1);
    qtest_bufwrite(s, 0x104d, "\x2c", 0x1);
    qtest_bufwrite(s, 0x104f, "\x05", 0x1);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_bufwrite(s, 0x6d04, "\x03", 0x1);
    qtest_bufwrite(s, 0x6d26, "\x04", 0x1);
    qtest_bufwrite(s, 0x6d41, "\x04", 0x1);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_writel(s, 0xffff00002e656000, 0x0);
    qtest_bufwrite(s, 0xffff00002e656014, "\x01\x00\x00\x00", 0x4);
    qtest_quit(s);
}

int main(int argc, char **argv)
{
    const char *arch = qtest_get_arch();

    g_test_init(&argc, &argv, NULL);

    if (strcmp(arch, "i386") == 0) {
        qtest_add_func("fuzz/test_fuzz", test_fuzz);
    }

    return g_test_run();
}
```
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Alexander Bulekov @ 2021-05-11 17:52 UTC
To: qemu-devel

** Attachment added: "attachment"
   https://bugs.launchpad.net/qemu/+bug/1883729/+attachment/5496430/+files/attachment
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Thomas Huth @ 2021-05-12 5:02 UTC
To: qemu-devel

Ok, with the new attachment from comment #5, I can also reproduce the bug again. It does not reproduce with the attachments from comment #1 or #2 anymore, so this now seems to be a different way to run into this assert. Anyway, setting the status back to Confirmed since it is reproducible again.

** Changed in: qemu
   Status: Incomplete => Confirmed
[Bug 1883729] Re: xhci_find_stream: Assertion `streamid != 0' failed.

From: Thomas Huth @ 2021-05-12 11:01 UTC
To: qemu-devel

This is an automated cleanup. This bug report has been moved to QEMU's new bug tracker on gitlab.com and thus gets marked as 'expired' now. Please continue with the discussion here:

https://gitlab.com/qemu-project/qemu/-/issues/273

** Changed in: qemu
   Status: Confirmed => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #273
   https://gitlab.com/qemu-project/qemu/-/issues/273